Audit Report

AUDIT REPORT
INFORMATION TECHNOLOGY: Federal Information Security
Management Act Fiscal Year 2008 Performance Audit (OIG-08-046)

September 26, 2008

Office of
Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

September 26, 2008
OFFICE OF
INSPECTOR GENERAL

MEMORANDUM FOR PETER B. MCCARTHY
               ASSISTANT SECRETARY FOR MANAGEMENT AND
               CHIEF FINANCIAL OFFICER

               MICHAEL DUFFY
               CHIEF INFORMATION OFFICER

FROM:          Joel Grover /s/
               Deputy Assistant Inspector General for Financial Management
               and IT Audits

SUBJECT:       2008 Audit of Treasury's Federal Information Security
               Management Act Implementation

I am pleased to transmit the following reports:

    •   Federal Information Security Management Act Fiscal Year 2008 Performance
        Audit – September 26, 2008
    •   Treasury Inspector General for Tax Administration (TIGTA) – Federal Information
        Security Management Act Report for Fiscal Year 2008, Audit #200820024,
        September 10, 2008

The Federal Information Security Management Act of 2002 (FISMA) requires an annual
independent evaluation of the Department of the Treasury's information security
program and practices.
To meet FISMA requirements, we contracted with KPMG LLP,
an independent certified public accounting firm, to perform the FISMA audit of
Treasury's unclassified systems, except for those of the Internal Revenue Service
(IRS). Attachment 1 contains the KPMG report and our Office of Management and
Budget submission [1], which incorporates the responses from TIGTA. Attachment 2
contains TIGTA's evaluation of FISMA compliance for IRS systems. [2]

[1] The Office of Management and Budget Memorandum M-08-21, "FY 2008 Reporting Instructions for
the Federal Information Security Management Act and Agency Privacy Management," dated July 14,
2008, requires completion of the FISMA reporting template by the Inspector General of each agency.
[2] We did not review the work performed by TIGTA to evaluate the information security program and
practices of IRS. Our overall conclusions, insofar as they relate to IRS, are based solely on TIGTA's
report (attachment 2). We did, however, coordinate with TIGTA on the scope and methodology,
including sample selection, of our respective engagements.

Page 2

Based on the results reported by KPMG and TIGTA, we determined that Treasury's
information security program is in place and is generally consistent with FISMA. Also,
Treasury had implemented all provisions of HSPD-7 paragraphs 1 through 11.
However, the KPMG audit of Treasury's unclassified systems (except for those of IRS)
indicated that additional steps are required to ensure that Treasury's information
security risk management program and practices fully comply with applicable National
Institute of Standards and Technology (NIST) standards and guidelines and FISMA
requirements.
Specifically, KPMG reported that (1) NIST FIPS 200 minimum security
control baselines were not sufficiently documented, tested, and/or implemented; (2)
computer security incidents were not consistently reported timely or correctly
categorized; (3) common security configuration baselines were not fully compliant; and
(4) Federal Desktop Core Configurations were not fully implemented.

TIGTA reported that IRS had made significant improvements in the areas of security
identified as needing improvement in TIGTA's 2007 FISMA evaluation and had
improved the efficiency of its certification and accreditation process. Additionally,
TIGTA found that IRS had completed certification and accreditation for the last of its
systems. TIGTA noted the most significant area of concern was IRS's implementation
of configuration management standards.

If you have any questions or require further information, you may contact me at (202)
927-5768, or Tram Dang at (202) 927-5171. For questions pertaining to the TIGTA
FISMA evaluation, please contact Margaret E. Begg, Assistant Inspector General for
Audit (Information Systems Programs), at (202) 622-8510.

Attachments

cc:      Edward A. Roback, Associate Chief Information Officer, Cyber Security

ATTACHMENT 1

Federal Information Security Management Act
    Fiscal Year 2008 Performance Audit,
             September 26, 2008

United States Department of the Treasury
Federal Information Security Management Act
Fiscal Year 2008 Performance Audit

         Prepared for the United States Department of the Treasury
                                    Office of the Inspector General

                                          Prepared by KPMG LLP

                                                 September 26, 2008

TABLE OF CONTENTS

FISMA PERFORMANCE AUDIT REPORT
EXECUTIVE SUMMARY ........................................ 1
BACKGROUND ............................................... 4
OBJECTIVE, SCOPE, AND METHODOLOGY ........................ 8
RESULTS ................................................. 12
CONCLUSIONS ............................................. 18
MANAGEMENT RESPONSE TO DRAFT REPORT ..................... 19

APPENDICES
APPENDIX I - OIG RESPONSE TO THE FY 2008 OMB FISMA REPORTING QUESTIONS ...... I-1
APPENDIX II – APPROACH TO THE SELECTION OF THE SUBSET OF SYSTEMS ............ II-1
APPENDIX III - ACRONYM LISTING ............................................ III-1

KPMG LLP
2001 M Street, NW
Washington, DC 20036

EXECUTIVE SUMMARY

September 26, 2008

Joel Grover
Deputy Assistant Inspector General for Financial Management and Information Technology Audits
United States Department of the Treasury
740 15th Street, N.W., Suite 600
Washington, D.C. 20220

Dear Mr. Grover:

This report presents the results of our performance audit conducted to address the objectives relative to
the Fiscal Year (FY) 2008 Federal Information Security Management Act of 2002 (FISMA) of the 12
non-Internal Revenue Service (IRS) bureaus of the United States Department of the Treasury (Treasury).
The IRS was not included within the scope of this FISMA audit. The Treasury Inspector General for Tax
Administration (TIGTA) performed the FISMA evaluation of the IRS. As part of this FISMA audit, we
only incorporated the results of the TIGTA FISMA evaluation of the IRS into the Office of Management
and Budget (OMB) FY 2008 FISMA Reporting Template (see Appendix I). Our audit was performed
during the period of May 13 through August 29, 2008. The Treasury Office of the Inspector General
(OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of the Treasury's non-IRS
information security program and practices pursuant to FISMA.

We conducted this performance audit in accordance with the standards applicable to such audits contained
in Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of
the United States. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

The objectives of our audit were to determine as of June 30, 2008, whether non-IRS Treasury bureaus had
implemented:

•   An information security program, consisting of plans, policies, procedures, and security controls,
    consistent with FISMA [1]
•   The security control catalog contained in the National Institute of Standards and Technology (NIST)
    Special Publication (SP) 800-53 Revision 2 (Rev. 2), Recommended Security Controls for Federal
    Information Systems
•   Plans for protecting the physical and cyber critical infrastructure and key resources (CI/KR) consistent
    with paragraphs 1 through 11 of Homeland Security Presidential Directive (HSPD)-7, Critical
    Infrastructure Identification, Prioritization, and Protection.

[1] This objective includes the completion of the OMB FY 2008 FISMA Reporting Template for IGs, which is
presented in Appendix I of this report.

                                                                                                        Page 1
KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
a member of KPMG International, a Swiss cooperative.

To accomplish our objectives, KPMG evaluated controls in accordance with applicable legislation,
Presidential directives, OMB policy, and NIST standards and guidelines. We reviewed the Treasury
information security program from both the Top-Down Department level perspective, covering Treasury-wide
program level controls, and the Bottom-Up Bureau level implementation perspective, including the
implementation of the security control catalog outlined in NIST SP 800-53 Rev. 2. We also reviewed
Treasury's progress in preparing plans to protect information technology (IT)-related CI/KR.
We considered each area above to
reach conclusions with regard to the adequacy of the Treasury's information security program and
practices.

During our FY 2008 audit, we noted that the 12 non-IRS Treasury bureaus have made progress in
improving information security controls and practices. [2] Following our 2007 security evaluation, Treasury
strengthened its inventory reporting and Plan of Action and Milestones (POA&M) processes by more
effectively using the Trusted Agent FISMA (TAF) system to serve as the consolidated FISMA inventory
system of record for Treasury and as the centralized, Treasury-wide POA&M system for tracking IT
security weaknesses. [3]

Based on our 2008 FISMA audit, we determined that Treasury had implemented all provisions of
HSPD-7 and OMB Memorandum 04-15, Development of Homeland Security Presidential Directive
(HSPD)-7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key
Resources. This included the development of critical infrastructure plans for identifying, prioritizing,
protecting, and planning for contingencies related to IT-related CI/KR of Treasury bureaus and those
under the direction and control of the Office of the Chief Information Officer (OCIO).

However, we also noted areas needing improvement where Treasury should take additional steps to
ensure that its information security risk management program and practices fully comply with applicable
NIST standards and guidelines and FISMA requirements. Specifically:

    1. NIST Federal Information Processing Standards (FIPS) 200 Minimum Security Control
       Baselines Were Not Sufficiently Documented, Tested, and/or Implemented.
       Treasury has
       made progress in addressing information security risk management requirements as required by
       FISMA and NIST, including the certification and accreditation of information systems and the
       implementation of minimum security controls outlined in NIST FIPS 200 and NIST SP 800-53
       Rev. 2. However, we noted that the minimum security controls required by NIST FIPS 200 were
       not documented, tested, and/or implemented for eight (8) of the non-IRS information systems
       (or 35% of the representative subset of Treasury information systems) that we reviewed. In
       addition, one (1) deficiency related to certification and accreditation documentation in our
       FY 2007 report had not been resolved.

    2. Computer Security Incidents Were Not Consistently Reported Timely or Correctly
       Categorized. Nine (9) computer security incidents across six (6) bureaus were not assigned the
       correct United States Computer Emergency Readiness Team (US-CERT) incident category
       as required by Treasury policy, and nine (9) other computer security incidents across seven (7)
       bureaus were not reported within the timeframes outlined by US-CERT.

    3. Common Security Configuration Baselines Were Not Fully Compliant. Treasury has
       established a Department-wide configuration management policy requiring all information
       systems to implement NIST SP 800-70 common security configuration baselines.
       However, we noted two (2) systems (or 17% of the representative subset of Treasury information
       systems) had not utilized NIST SP 800-70 common security configurations.

[2] The FISMA evaluation of the IRS is performed by TIGTA.
[3] TAF is an enterprise tool for aggregating data reported by Treasury bureaus to gauge how well the Department is
complying with key information security practices and controls.

                                                                                                           Page 2

    4. Federal Desktop Core Configurations Were Not Fully Implemented. Treasury has made
       substantial progress in the implementation of Federal Desktop Core Configuration (FDCC) secure
       configuration baselines since the issuance of OMB Memorandum 07-11, Implementation of
       Commonly Accepted Security Configurations for Windows Operating Systems. However, we
       noted four (4) bureaus had not completed the implementation and validation of FDCC secure
       baseline configurations.

As part of the FISMA audit of the non-IRS systems at Treasury, we assessed the effectiveness of
Treasury's information security programs and practices and the implementation of the security control
catalog contained in NIST SP 800-53. Overall, we determined that an information security program is in
place and is generally consistent with FISMA; however, Treasury did not fully comply with the
requirements of NIST SP 800-53, as of June 30, 2008. Specifically, we determined from the sample of
systems reviewed that 35% of the Treasury non-IRS systems in that sample did not fully comply with NIST SP 800-53
minimum security control catalog requirements. We are reporting exceptions regarding the extent to which
the NIST SP 800-53 minimum security controls were documented, implemented, or tested.
All of our findings are
included in the results section of this report; they warrant management attention and corrective action.
Management concurs with all reported findings and recommendations. The OCIO's written response to
our draft report, dated September 15, 2008, is included within this report.

This performance audit did not constitute an audit of financial statements in accordance with Government
Auditing Standards. KPMG was not engaged to, and did not, render an opinion on Treasury's internal
controls over financial reporting or over financial management systems (for purposes of OMB Circular
No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting
the results of our evaluation to future periods is subject to the risks that controls may become inadequate
because of changes in conditions or because compliance with controls may deteriorate.

Sincerely,

                                                                                                    Page 3

BACKGROUND

On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public
Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as FISMA, focuses on
improving oversight of Federal information security programs and facilitating progress in correcting
agency information security weaknesses. FISMA requires Federal agencies to develop, document, and
implement an agency-wide information security program that provides security for the information and
information systems that support the operations and assets of the agency, including those provided or
managed by another agency, contractor, or other source. The Act assigns specific responsibilities to
agency heads and Inspectors General (IGs), supported by security policy promulgated through OMB and
risk-based standards and guidelines published by NIST.
For FY 2008, the OIG awarded a contract to
KPMG to perform the FISMA audit for Treasury's non-IRS unclassified systems in accordance with
GAGAS.

Under FISMA, agency heads are responsible for providing information security protections
commensurate with the risk and magnitude of harm resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of information and information systems. FISMA
directs Federal agencies to report annually to the OMB Director, Comptroller General, and selected
Congressional committees on the adequacy and effectiveness of agency information security policies,
procedures, and practices and compliance with FISMA. In addition, FISMA requires agencies to have an
annual independent evaluation performed of their information security programs and practices and to
report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed
by the agency IG or an independent external auditor as determined by the IG.

In support of agency responsibilities, OMB regularly issues policies through annual reporting instructions
and other guidelines for agencies to follow in meeting FISMA annual reporting requirements.
Additionally, in response to the FISMA mandate and OMB policy, NIST developed standards and
guidelines as part of a comprehensive risk management framework to assist agencies in establishing an
information security management program. This risk management framework is designed to help
agencies categorize information and systems, define minimum security baselines, test security controls,
authorize systems into production, and perform monitoring activities. This includes NIST FIPS 199,
Standards for Security Categorization of Federal Information and Information Systems, issued in
February 2004, as the first of two mandatory security standards required by FISMA.
NIST FIPS 199
establishes security categories for Federal agencies to use in categorizing information and information
systems based on the potential impact associated with the loss of confidentiality, integrity, or availability
on an agency mission or individual.

NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is the
second of the mandatory security standards developed in response to FISMA and provides direction to
agencies in determining the minimum "foundational" level of security controls to select for protecting the
confidentiality, integrity, and availability of information and systems. Specifically, the standard states
that the selected set of security controls must include one of three appropriately tailored security control
baselines from NIST SP 800-53 Rev. 2, which are associated with the designated impact levels of the
organizational information systems as determined during the security categorization process. NIST SP
800-53 Rev. 2 features 17 control families organized into management, operational, and technical control
areas for protecting Federal information and information systems. In accordance with the security requirements
in NIST FIPS 200, organizations must employ all security controls in the respective security control
baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST SP
800-53 Rev. 2. This includes: i) selecting an initial set of baseline security controls based on a NIST FIPS
199 worst-case impact analysis; ii) tailoring the baseline security controls; and iii) supplementing the
security controls, as necessary, based on an organizational assessment of risk.

                                                                                                      Page 4
As a companion to this
guide, NIST in July 2008 released SP 800-53A, Guide for Assessing the Security Controls in Federal
Information Systems, which covers both the security control assessment and continuous monitoring steps
in the Risk Management Framework and provides guidance on the security assessment process.

On December 17, 2003, the President signed HSPD-7, which established a national policy for Federal
departments and agencies to identify and prioritize United States CI/KR in order to protect them from
terrorist-related attacks. HSPD-7 instructed Federal agencies and departments to prepare plans for the
protection of physical and cyber-related CI/KR, both owned and operated. On June 17, 2004, OMB
issued Memorandum M-04-15, with the purpose of further defining the requirements of HSPD-7, as well
as providing instructions for the development of Critical Infrastructure Protection (CIP) plans. The
purpose of the CIP plan is to identify, prioritize, protect, and plan for contingencies related to the CI/KR
of each agency and department.

Treasury Information Security Management and Program

Treasury comprises 13 operating bureaus and offices, including:

•   Alcohol and Tobacco Tax and Trade Bureau (TTB) - Responsible for enforcing and administering
    laws covering the production, use, and distribution of alcohol and tobacco products. TTB also collects
    excise taxes for firearms and ammunition.
•   Bureau of Engraving and Printing (BEP) - Designs and manufactures U.S. (paper) currency, many
    stamps, securities, and other official certificates and awards.
•   Bureau of the Public Debt (BPD) - Borrows the money needed to operate the Federal Government.
    It administers the public debt by issuing and servicing U.S.
    Treasury marketable, savings, and special
    securities.
•   Community Development Financial Institutions (CDFI) Fund - Created to expand the availability
    of credit, investment capital, and financial services in distressed urban and rural communities.
•   Departmental Offices (DO) - Primarily responsible for policy formulation. The DO is composed of
    divisions headed by Assistant Secretaries, some of whom report to Under Secretaries.
•   Financial Crimes Enforcement Network (FinCEN) - Supports law enforcement investigative
    efforts and fosters interagency and global cooperation against domestic and international financial
    crimes. It also provides U.S. policy makers with strategic analyses of domestic and worldwide trends
    and patterns.
•   Financial Management Service (FMS) - Receives and disburses all public monies, maintains
    government accounts, and prepares daily and monthly reports on the status of government finances.
•   IRS - Responsible for determining, assessing, and collecting internal revenue in the United States.
•   Office of the Comptroller of the Currency (OCC) - Charters, regulates, and supervises national
    banks to ensure a safe, sound, and competitive banking system that supports the citizens,
    communities, and economy of the United States.
•   OIG - Conducts and supervises audits and investigations of Treasury programs and operations.
    The
    OIG also keeps the Secretary and the Congress fully and currently informed about problems, abuses,
    and deficiencies in Treasury programs and operations.
•   Office of Thrift Supervision (OTS) - The primary regulator of all Federal and many state-chartered
    thrift institutions, which include savings banks and savings and loan associations.
•   United States Mint (Mint) - Designs and manufactures domestic, bullion, and foreign coins as well
    as commemorative medals and other numismatic items. The Mint also distributes U.S. coins to the
    Federal Reserve banks as well as maintains physical custody and protection of our nation's silver and
    gold assets.

                                                                                                     Page 5

•   TIGTA - Conducts and supervises audits and investigations of IRS programs and operations. The
    TIGTA also keeps the Secretary and the Congress fully and currently informed about problems,
    abuses, and deficiencies in IRS programs and operations.

Treasury OCIO

The Treasury Chief Information Officer (CIO) is responsible for providing Department-wide leadership
and direction for all areas of information and technology management, as well as the oversight of a
number of IT programs. Among these programs is Cyber Security, which has responsibility for the
implementation and management of Treasury-wide IT security. Through its mission, the Treasury Cyber
Security program develops and implements IT security policies and provides policy compliance oversight
for both unclassified and classified systems managed by each of Treasury's bureaus.
The Treasury OCIO
Cyber Security program's mission focuses on the following areas:

•   Cyber Security Policy and Program Performance
•   Cyber Security FISMA Performance and Technical Review
•   Vulnerability Analysis
•   Configuration and Planning
•   Cyber CIP
•   TCSIRC
•   Cyber Security Sub-Council (CSS) of the Treasury CIO Council.

The Treasury CIO has tasked the Associate CIO for Cyber Security (ACIOCS) with the responsibility of
managing and directing the OCIO's Cyber Security program, as well as ensuring compliance with
statutes, regulations, policies, and guidance. The ACIOCS and the Cyber Security program have
established Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security
Program, as the Treasury-wide IT security policy to provide for information security for all information
and information systems that support the mission of the Treasury, including those operated by another
Federal agency or contractor on behalf of Treasury. In addition, as OMB periodically releases
updates and clarifications of its FISMA guidance, the ACIOCS and the Cyber Security program have
responsibility to interpret them and release updated policy for Treasury. The ACIOCS and the Cyber
Security program are also responsible for promoting and coordinating a Treasury-wide IT security
program, as well as monitoring and evaluating the status of Treasury's IT security posture and
compliance with statutes, regulations, policies, and guidance. Lastly, the ACIOCS and the Cyber Security
program have the responsibility of managing Treasury's IT CIP program for Treasury assets.

Bureau OCIO

Bureau OCIO organizations are led by a bureau CIO.
The bureau CIOs first have the responsibility of
managing the IT security program for the bureau, as well as advising the bureau head on significant issues
related to the bureau IT security program. Bureau CIOs also have the responsibility for overseeing the
development of procedures that comply with both Treasury OCIO policy and guidance and Federal
statutes, regulations, policy, and guidance. Bureau Chief Information Security Officers are tasked by the
bureau CIOs to serve as the central point of contact for the bureau's IT security program, as well as to
develop and oversee the bureau's IT security program. This includes the development of policies,
procedures, and guidance required to implement and monitor the bureau IT security program.

                                                                                                   Page 6

Treasury – Bureau OCIO Collaboration

The Treasury OCIO has established the Treasury CIO CSS, which is chaired by the ACIOCS. The CSS
serves as a mechanism for obtaining bureau-level input and advises on new policies, Treasury-wide IT
security activities, and performance measures. The CSS also provides a means for IT security related
information sharing among bureaus. Included on the CSS are representatives from the OCIO, bureau CIO
organizations, as well as the OIG – Office of IT Audits and TIGTA – Office of Audits.

                                                                                             Page 7

OBJECTIVE, SCOPE, AND METHODOLOGY

The objectives of our audit were to determine as of June 30, 2008, whether non-IRS Treasury bureaus had
implemented:

•   An information security program, consisting of plans, policies, procedures, and security controls
    consistent with FISMA [4]
•   The security control catalog contained in NIST SP 800-53 Rev. 2
•   Plans for protecting physical and cyber CI/KR consistent with paragraphs 1 through 11 of HSPD-7.

To accomplish our objectives, KPMG evaluated controls in accordance with applicable legislation,
Presidential directives, OMB policy, and NIST standards and guidelines. We reviewed the Treasury
information security program from both the Top-Down Department Level perspective, covering Treasury-wide
program level controls, and the Bottom-Up Bureau Level implementation perspective, including the NIST SP
800-53 minimum security control baselines established by NIST FIPS 200. We also reviewed Treasury's
progress in preparing plans to protect cyber Critical Infrastructure. We considered each area above to
reach conclusions with regard to the adequacy of Treasury's information security program and practices.

Top-Down Department Level

To gain an overall enterprise-level understanding, KPMG assessed management, policies, and guidance
for the overall Treasury-wide information security program per requirements defined in FISMA and
OMB/NIST standards, as well as guidelines developed in response to FISMA. This included program
controls applicable to information security governance, security and contingency planning, certification
and accreditation, incident response, configuration management, and security awareness and training.

Bottom-Up Bureau Level

As required by FISMA, KPMG also performed tests for a representative subset of 23 information systems
to determine whether bureaus were effective in implementing Treasury's security program in meeting
minimum security standards to protect information and information systems (see Appendix II detailing
our sampling approach).
The subset of systems encompassed systems managed and operated by 12 of 13\nTreasury bureaus excluding the IRS.\n\nA key component of assessing controls for the representative subset of systems was to assess\nimplementation of minimum security control requirements per guidance provided from the NIST SP 800-\n53 Rev. 2. As shown in Table 1, NIST SP 800-53 Rev. 2 features 17 control families that are organized\ninto management, operational, and technical control areas for protecting Federal information and\ninformation systems.\n\n\n\n\n4\n This objective includes the completion of the OMB FY 2008 FISMA Reporting Template for IGs, which is\npresented in Appendix I of this report.\n\n                                                                                                        Page 8\n\x0c                           Table 1: Security Control Classes and Families5\n               Security Control Class                 Security Control Family\n                                        Risk Assessment\n                                        Planning\n              Management                System and Services Acquisition\n                                        Certification, Accreditation, and Security\n                                        Assessments\n                                        Personnel Security\n                                        Physical and Environmental Protection\n                                        Contingency Planning\n                                        Configuration Management\n              Operational               Maintenance\n                                        System and Information Integrity\n                                        Media Protection\n                                        Incident Response\n                                        Awareness and Training\n                                        Identification and Authentication\n                                        Access Control\n              
Technical\n                                        Audit and Accountability\n                                        System and Communications Protection\n\nIn accordance to security requirements in NIST FIPS 200, organizations must employ all security controls\nin the respective security control baselines unless specific exceptions are allowed based on the tailoring\nguidance provided in NIST SP 800-53. This includes: i) selecting an initial set of baseline security\ncontrols based on a NIST FIPS 199 worst-case, impact analysis; ii) tailoring the baseline security\ncontrols; and iii) supplementing the security controls, as necessary, based on an organizational assessment\nof risk. As a companion to this guide, NIST in July 2008 released SP 800-53A, which provides\nrecommended guidance for agencies to follow in their security control assessment and continuous\nmonitoring process. KPMG\xe2\x80\x99s control evaluation review for controls selected was based on the\nassessment steps recommended in NIST SP 800-53A.\n\nOur criteria for selecting controls within each system to review were based on the following:\n\n\xe2\x80\xa2     Highly volatile controls that have the potential to affect the greatest number of information systems,\n      such as common controls or those critical to a specific system which are likely to change over time.\n\xe2\x80\xa2     Specific high-risk controls that are crucial to the protection of a system were considered for selection\n      as part of the testing requirement. These are not necessarily the same as highly volatile controls and\n      may or may not be POA&M items.\n\xe2\x80\xa2     Testing of a system\xe2\x80\x99s security-relevant changes that occur out of the certification and accreditation\n      cycle but do not necessarily constitute a major change necessitating a new certification and\n      accreditation.\n\n\n\n\n5\n    Source: NIST SP 800-53 Rev. 
2\n\n                                                                                                       Page 9\n\x0cHSPD--7\nKPMG assessed Treasury\xe2\x80\x99s progress in preparing plans to protect IT-related CI/KR, owned or operated\nincluding leased facilities. This included assessing development of CIP plans in accordance to OMB\nMemorandum 04-15. These plans must address identification, prioritization, protection, and contingency\nplanning, including recovery and reconstitution of essential capabilities. In particular, we assessed\nwhether plans address protection priorities, ability to ensure continuity of operations during a cyber\nattack, and where current capabilities are lacking, POA&Ms to achieve the necessary level of\nperformance.\n\nOther Considerations\n\nIn performing our control evaluations, KPMG interviewed key Treasury OCIO personnel who had\nsignificant information security responsibilities as well as personnel across the 12 non-IRS operating\nbureaus. We also evaluated Treasury and bureaus\xe2\x80\x99 policies, procedures, and guidelines. Lastly, we\nevaluated selected security-related documents and files, including certification and accreditation\npackages, configuration assessment results, IT service contracts, training records, and strategic and annual\nperformance plans.\n\nWe also relied on security-related audit, review, and evaluation reports issued by the OIG, Treasury, and\nthe Government Accountability Office (GAO) as of August 29, 2008. To assure ourselves that we could\nrely on pertinent information contained in these reports, we performed procedures, such as obtaining an\nunderstanding of the methodologies, assumptions, and conclusions described therein. We also performed\nprocedures to assure ourselves that computer-based data was valid and reliable when that data was\nsignificant to our evaluation findings and conclusions. 
Such procedures included verifying selected automated data to source documentation and corroborating automated data through interviews with appropriate Treasury personnel.

We performed our audit at Treasury’s headquarters offices in Washington, DC and at bureau locations in Washington, DC, Hyattsville, MD, McLean, VA, and Parkersburg, WV during the period of May through August 2008. During our audit, we met with Treasury management to discuss our preliminary conclusions. Our audit was conducted in accordance with GAGAS (prescribed by the Comptroller General of the United States) and included such tests as we considered necessary.

Applicable Criteria

KPMG’s approach to this FISMA performance audit is based on Federal information security criteria developed by NIST and OMB. NIST SPs provide guidelines that are considered essential to the development and implementation of agencies’ security programs. [6]

•   OMB Circular A-130, Management of Federal Information Resources
•   NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
•   NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
•   NIST SP:
    o 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems
    o 800-53A Guide for Assessing the Security Controls in Federal Information Systems
    o 800-39 Managing Risk from Information Systems: An Organizational Perspective
    o 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
    o 800-70 Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers
    o 800-18 Rev. 1 Guide for Developing Security Plans for Information Technology Systems
    o 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
    o 800-61 Computer Security Incident Handling Guide
    o 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
    o 800-34 Contingency Planning Guide for Information Technology Systems
    o 800-30 Risk Management Guide for Information Technology Systems
•   OMB Memoranda
    o 08-21 FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
    o 04-04 E-Authentication Guidance for Federal Agencies
    o 04-15 Development of Homeland Security Presidential Directive (HSPD) - 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources
    o 04-25 FY 2004 Reporting Instructions for the Federal Information Security Management Act
    o 07-11 Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
    o 07-18 Ensuring New Acquisitions Include Common Security Configurations
•   HSPD-7 paragraphs 1 through 11

[6] Note (per OMB instructions): While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST’s guidance documents (specifically in the 800 series) in how agencies apply the guidance. However, NIST FIPS are mandatory. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance.

RESULTS

During our FY 2008 FISMA audit, we noted that the 12 non-IRS Treasury bureaus have made progress in improving information security controls and practices. [7] Following our 2007 security evaluation, Treasury strengthened its inventory reporting and POA&M processes by more effectively using the TAF system to serve as the consolidated FISMA inventory system of record for the department and as the centralized Department-wide POA&M system for tracking IT security weaknesses. [8]

Based on our FY 2008 FISMA audit, we noted four areas needing improvement.
These areas are: i) NIST FIPS 200 minimum security control baselines were not sufficiently documented, tested, and/or implemented; ii) computer security incidents were not consistently reported timely or correctly categorized; iii) common security configuration baselines were not fully compliant; and iv) FDCCs were not fully implemented. Treasury should take additional steps to ensure that its information security risk management program and practices fully comply with applicable NIST standards and guidelines and FISMA requirements.

In addition, we determined that Treasury had implemented all provisions of HSPD-7 and OMB Memorandum 04-15. Specifically, Treasury had implemented a program to identify, prioritize, and protect all IT/cyber-related CI/KR in accordance with HSPD-7 and OMB Memorandum 04-15. We reviewed documentation and processes for CIP plans to determine if CI/KR are managed in accordance with the applicable criteria. The Treasury OCIO Cyber Security program manages the CIP process. The OCIO Cyber Security program has developed a CIP policy in TD P 85-01 that was derived from guidance in HSPD-7 and OMB Memorandum 04-15. Additionally, the OCIO Cyber Security program developed CIP processes and procedures in a CIP plan in accordance with OMB Memorandum 04-15. The CIP plan was finalized in December 2005 and is updated annually. The CIP plan addresses the identification, prioritization, and protection of IT-related CI/KR for all Treasury bureaus in three phases: prepare and prevent, detect and respond, and recover and reconstitute.

FINDINGS

1. NIST FIPS 200 Minimum Security Control Baselines Were Not Sufficiently Documented, Tested, and/or Implemented

Treasury has made progress in addressing information security risk management requirements as required by FISMA and NIST, including the certification and accreditation of information systems and the implementation of minimum security controls outlined in NIST FIPS 200 and NIST SP 800-53 Rev. 2. However, we noted that the minimum security controls required by NIST FIPS 200 were not documented, tested, and/or implemented for eight (8) systems within our representative subset of non-IRS Treasury information systems. Specifically, for the eight (8) information systems (or 35% of the representative subset of Treasury information systems) reviewed, and one system that was identified as a deficiency in our FY 2007 report, we noted:

•   Instances of inadequate testing were identified over the minimum security control baselines implemented for four (4) systems at BEP and three (3) systems at TTB. In addition, the system security plan for each of these systems had not been updated to document the minimum security control baseline implemented, per NIST FIPS 200, NIST SP 800-53 Rev. 2, and NIST SP 800-18 Rev. 1.

    Regarding the four (4) BEP systems, the system security plan was originally developed prior to the release of the final version of NIST SP 800-53.

[7] The FISMA evaluation of the IRS is performed by TIGTA.
[8] TAF is an enterprise tool for aggregating data reported by Treasury bureaus to gauge how well the Department is complying with key information security practices and controls.
    As a result, the system security plan only included the 17 NIST SP 800-53 control families, but not the specific controls within each family. In 2008, BEP management had not yet updated the system security plan to include each specific security control within the NIST SP 800-53 Rev. 2 security control baseline for a system with a FIPS 199 system impact level of Moderate. Additionally, during the security test and evaluation and continuous security control monitoring of the one (1) BEP system, only those specific controls outlined in the original system security plan were tested.

    Regarding the three (3) TTB systems, a third party was used to perform the security test and evaluation and the continuous security controls monitoring. TTB management believed that the methodology employed by this third party incorporated NIST SP 800-53 and NIST SP 800-53A to assess all minimum security controls over a three-year period. However, it was found that only technical controls had been tested. TTB management also stated that the results of testing over each specific NIST SP 800-53 control in the security control baseline were not documented in the security test and evaluation report or in continuous security controls monitoring documentation prior to granting the authority to operate in June of the FY 2008 FISMA reporting period.

•   The weaknesses identified through the security test and evaluation of one (1) system at OTS, selected as part of our representative subset, showed that the 17 security control families required by NIST FIPS 200 for a system with a NIST FIPS 199 system impact level of Moderate had not been fully implemented. This system has been issued an Interim Authority to Operate (IATO) by OTS because of the security control weaknesses identified during the security test and evaluation. The previous OTS FISMA system inventory organized systems by business process rather than by functional IT units. The authorities to operate for each system in the prior OTS FISMA system inventory expired during the FY 2007 FISMA reporting period. OTS elected not to recertify and accredit each system due to plans to redefine the bureau’s FISMA system inventory, which occurred in the FY 2008 FISMA reporting period. The security test and evaluation undertaken for the one (1) system selected identified a number of security weaknesses relative to the NIST SP 800-53 security control baseline for a Moderate system, which subsequently created an operating environment that was inadequate to support full system accreditation.

•   The contingency plan for one (1) system at the CDFI Fund was missing elements required by NIST SP 800-34. This condition was also noted in the 2007 FISMA evaluation. CDFI Fund management stated that sufficient resources have not been dedicated to update the plan in accordance with NIST SP 800-34. In FY 2008, CDFI Fund management had only dedicated limited resources to update the plan; however, the updates were not completed by the end of the FISMA reporting period. CDFI Fund management estimates that the plan will be updated by the end of the FY 2009 FISMA reporting period.

The Treasury OCIO Cyber Security program has implemented program-level controls for the oversight of the certification and accreditation process across the Department. The program controls are outlined as roles and responsibilities in TD P 85-01 – Treasury Information Technology Security Manual. This document states that one of the responsibilities of the ACIOCS is to monitor and evaluate the status of the Treasury IT security posture by performing compliance reviews of bureau IT security programs and system controls, including reviews of certification and accreditation documentation. To execute this responsibility, the ACIOCS has directed the Cyber Security program to perform two (2) types of monitoring and evaluation activities. The first type of activity is a Technical Security Review, which includes vulnerability assessments, penetration tests, and configuration reviews (including FDCC). The second type of activity is a Security Program Review, which encompasses reviews of bureau level policies, procedures, and the certification and accreditation documentation. The ACIOCS has developed a plan to perform a Technical Security Review and a Security Program Review at each bureau on an annual basis. Through the Security Program Review, the Cyber Security program performs procedures to determine if a bureau has loaded all of the required FISMA artifacts into TAF and if the artifacts have been developed in accordance with OCIO policies, as well as OMB and NIST laws, policies, and guidance. However, based on the documentation provided, these procedures appear to be designed only to determine if a bureau has loaded all FISMA artifacts into TAF, and not to determine compliance with Treasury policy or with OMB and NIST laws, policy, and guidance.

The Treasury OCIO Cyber Security program is performing these activities as stated. However, oversight and improvements by the ACIOCS and the Cyber Security program are needed to ensure a consistent approach to the design, implementation, and/or testing of the NIST SP 800-53 minimum security control baselines required by NIST FIPS 200.
While it was noted that a Security Program Review was conducted at all 12 non-IRS Treasury bureaus during the FY 2008 FISMA reporting period, we were unable to determine if these reviews would identify the specific deviations identified.

In all cases noted above, there is a risk that the confidentiality, integrity, and availability of the bureau’s sensitive or Personally Identifiable Information (PII) and the information systems that support the mission of the bureau are susceptible to compromise because minimum security standards are not applied in accordance with NIST FIPS 200 requirements.

For BEP, we recommend that management:

  1. Update the system security plan to include all baseline security controls for a system with a FIPS 199 system impact level of Moderate.

  2. Test all security controls within the NIST FIPS 200 minimum security control baseline, based on the system’s FIPS 199 system impact level, during the system’s recertification and accreditation in the FY 2009 FISMA reporting period, or during the next three-year certification and accreditation period through continuous monitoring.

For TTB, we recommend that management:

  3. Implement, document, and test management, operational, and technical security controls across each of the 17 security control families of NIST SP 800-53 Rev. 2.

  4. Reconsider the decision to issue a full authority to operate based on the assessment of the implementation of the management, operational, and technical security controls across all 17 security control families of NIST SP 800-53 Rev. 2.

  5. Review its certification and accreditation process to prevent other systems from being granted full authority to operate when NIST FIPS 200 minimum security standards are not met.

For OTS, we recommend that management:

  6. Continue with bureau plans to resolve the security weaknesses identified during the certification and accreditation process by the end of the interim authorization period, December 31, 2008, and achieve a full authority to operate during the FY 2009 FISMA reporting period.

For CDFI, we recommend that management:

  7. Update the one (1) system contingency plan to include a business impact analysis and an equipment replacement strategy in accordance with NIST SP 800-34.

In addition, we recommend that Treasury OCIO management:

  8. Provide additional oversight to monitor and enforce compliance with Treasury OCIO policies, as well as OMB and NIST laws, policies, and guidance, with respect to the documentation, implementation, and testing of the minimum security control baselines required by NIST FIPS 200.

2. Computer Security Incidents Were Not Consistently Reported Timely or Correctly Categorized

We reviewed thirty-eight (38) computer security incidents out of a population of 147, and noted the following discrepancies:

•   Nine (9) computer security incidents across six (6) bureaus were not assigned the correct US-CERT incident categorization as required by Treasury Chief Information Officer (TCIO) Memorandum 06-12, Cyber Security Incident Response (Non-National Security Systems), and TCIO Memorandum 08-02, Cyber Security Incident Handling Guidelines and Clarifications for Treasury Directive Publication 85-01. Of the nine (9) computer security incidents, one (1) involved a breach of PII and eight (8) involved the loss of portable computing equipment.

•   Three (3) computer security incidents across three (3) bureaus were not reported within the timeframes outlined by US-CERT.

TCIO Memorandum 06-02, Cyber Security Incident Response (Non-National Security Systems), requires that each bureau’s Computer Security Incident Response Capability (CSIRC) categorize significant incidents based on the US-CERT definitions for Category 1-4 computer security incidents. Table 2 outlines the US-CERT definitions of Category 1-4 computer security incidents.

Table 2: US-CERT Definition of Category 1-4 Computer Security Incidents [9]

Category 1: Unauthorized Access
    Description: In this category, an individual gains logical or physical access without permission to a Federal agency network, system, application, data, or other resource.
    Reporting Timetable: Within one (1) hour of discovery/detection.

Category 2: Denial of Service (DoS)
    Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the DoS.
    Reporting Timetable: Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.

Category 3: Malicious Code
    Description: Successful installation of malicious software (i.e., virus, worm, spyware, bots, Trojan horse, or other code-based malicious entity that infects or affects an operating system or application). Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
    Reporting Timetable: Daily. Note: Within one (1) hour of discovery/detection if widespread across the agency.

Category 4: Improper Usage
    Description: A person violates acceptable computing use policies.
    Reporting Timetable: Weekly.

In addition, per TCIO Memorandum 06-02, the Department of Homeland Security has clarified that the US-CERT Category 1 computer security incident reporting level should be used for physical loss of equipment that could result in unauthorized access to systems or information.

Our analysis concluded that improvements are needed to provide for an enterprise-wide approach to the TCSIRC processes. The policy specifies that the TCSIRC serves as the central clearing house for external computer security incident reporting. In addition, Treasury OCIO policy also states that it is the responsibility of each bureau-level CSIRC to create computer security incident response training programs, or to include computer security incident response training with their specialized security training programs.
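To make the Table 2 reporting clocks and the physical-loss clarification above concrete, the following added example (not tooling from this report, Treasury, or KPMG) scores constructed incident records for the two discrepancy types the audit found: wrong US-CERT category and late report. The incident kinds, record fields, and the reading of "Daily" and "Weekly" as 24 and 168 hours are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Reporting clocks from Table 2, in hours after discovery/detection. "Daily" and
# "Weekly" are read as 24 and 168 hours here (an assumption of this example).
CAT1_HOURS = 1
CAT2_ONGOING_HOURS = 2
CAT3_WIDESPREAD_HOURS = 1
CAT3_DAILY_HOURS = 24
CAT4_WEEKLY_HOURS = 168

# Incident kinds used by this example (constructed, not a Treasury schema).
KIND_TO_CATEGORY = {
    "unauthorized_access": 1,
    "equipment_loss": 1,   # physical loss of equipment is Category 1 per the DHS clarification
    "dos": 2,
    "malicious_code": 3,
    "improper_usage": 4,
}

@dataclass
class Incident:
    incident_id: str
    kind: str
    assigned_category: Optional[int]   # category the bureau CSIRC recorded
    detected: datetime                 # discovery/detection time
    reported: Optional[datetime]       # time reported to US-CERT; None if never
    ongoing: bool = False              # DoS still in progress and unmitigated
    widespread: bool = False           # malicious code spread across the agency
    quarantined: bool = False          # malicious code already quarantined by AV

def expected_category(inc: Incident) -> int:
    """Category the record should carry under Table 2 and the physical-loss rule."""
    return KIND_TO_CATEGORY[inc.kind]

def report_required(inc: Incident) -> bool:
    """Table 2: malicious logic already quarantined by AV need not be reported."""
    return not (inc.kind == "malicious_code" and inc.quarantined)

def reporting_deadline(inc: Incident) -> Optional[datetime]:
    """Latest acceptable report time, or None when Table 2 sets no fixed clock
    (quarantined malware, DoS that is no longer ongoing)."""
    if not report_required(inc):
        return None
    category = expected_category(inc)
    if category == 1:
        hours = CAT1_HOURS
    elif category == 2:
        if not inc.ongoing:
            return None
        hours = CAT2_ONGOING_HOURS
    elif category == 3:
        hours = CAT3_WIDESPREAD_HOURS if inc.widespread else CAT3_DAILY_HOURS
    else:
        hours = CAT4_WEEKLY_HOURS
    return inc.detected + timedelta(hours=hours)

def assess(inc: Incident, as_of: datetime) -> Dict[str, object]:
    """Flag the two discrepancy types the audit reports: wrong category and late
    (or still missing) report, judged as of the review date `as_of`."""
    expected = expected_category(inc)
    deadline = reporting_deadline(inc)
    if deadline is None:
        timely = None                        # no clock to measure against
    elif inc.reported is None:
        timely = as_of <= deadline           # unreported, but clock not yet expired
    else:
        timely = inc.reported <= deadline
    return {
        "incident_id": inc.incident_id,
        "expected_category": expected,
        "category_ok": inc.assigned_category == expected,
        "deadline": deadline,
        "timely": timely,
    }

def discrepancies(incidents: List[Incident], as_of: datetime) -> List[Dict[str, object]]:
    """Assessments with a wrong category or a missed reporting clock."""
    return [a for a in (assess(i, as_of) for i in incidents)
            if not a["category_ok"] or a["timely"] is False]

# Constructed sample incidents; identifiers and times are placeholders.
T0 = datetime(2008, 6, 2, 9, 0)
AS_OF = datetime(2008, 6, 30)
SAMPLE_INCIDENTS = [
    # lost laptop logged as Category 4, although it was reported quickly
    Incident("INC-001", "equipment_loss", 4, T0, T0 + timedelta(minutes=30)),
    # correctly categorised intrusion, but reported three hours after detection
    Incident("INC-002", "unauthorized_access", 1, T0, T0 + timedelta(hours=3)),
    # quarantined malware: category correct, no US-CERT report required
    Incident("INC-003", "malicious_code", 3, T0, None, quarantined=True),
    # ongoing DoS reported within the two-hour window
    Incident("INC-004", "dos", 2, T0, T0 + timedelta(hours=1), ongoing=True),
    # agency-wide worm reported five hours later; the clock was one hour
    Incident("INC-005", "malicious_code", 3, T0, T0 + timedelta(hours=5), widespread=True),
]
```

Running discrepancies(SAMPLE_INCIDENTS, AS_OF) flags INC-001 (miscategorized loss of equipment), INC-002 (late Category 1 report), and INC-005 (late widespread malicious code), while the quarantined malware and the promptly reported DoS pass.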
However, the Treasury OCIO Cyber Security program and the TCSIRC are not providing the needed oversight to ensure the consistency and adequacy of the computer incident response training programs at each non-IRS bureau.

Late or mis-categorized computer security incidents could limit Treasury’s ability to timely and accurately report computer security incidents according to policies and procedures.

[9] Source: Treasury CIO Memorandum 06-02, Cyber Security Incident Response (Non-National Security Systems)

We recommend that the ACIOCS:

  9. Evaluate viable alternatives to improve bureau level awareness capabilities by providing and/or assisting bureaus with the development and implementation of incident response awareness programs.

3. Common Security Configuration Baselines Were Not Fully Compliant

Treasury has established a Department-wide configuration management policy requiring all information systems to implement NIST SP 800-70 common security configuration baselines. However, we noted that one (1) system at BPD and one (1) system at OTS (or 17% of the representative subset of Treasury information systems) had not utilized NIST SP 800-70 common security configurations. Common security configuration baselines had not been developed for the one (1) system at BPD at the time of fieldwork. In addition, competing resource requirements at OTS have prevented NIST SP 800-70 common security configuration baselines from being fully utilized to date.

By not having a NIST SP 800-70 compliant secure configuration baseline documented and implemented, the ability of these bureaus to apply a consistent security configuration across platforms and operating systems may be impaired. This could lead to increased risk of exposure relative to the confidentiality, integrity, and availability of sensitive information and information systems controlled by these operating systems.

We recommend that:

  10. Both BPD and OTS utilize NIST SP 800-70 common security configurations on the two (2) systems reported.

4. Federal Desktop Core Configurations Were Not Fully Implemented

Treasury has made substantial progress in the implementation of FDCC secure configuration baselines since the issuance of OMB Memorandum 07-11. However, we noted that DO, FinCEN, the OIG, and OTS had not completed the implementation and validation of FDCC secure baseline configurations. First, at DO and the OIG, current network technology limitations have prevented them from implementing FDCC secure configuration baselines on all instances of the Microsoft Windows XP operating system. Second, at FinCEN, a lack of technical knowledge has prevented the bureau from fully implementing FDCC secure configuration baselines across all instances of the Microsoft Windows XP operating system. Third, OTS management indicated that unclear guidance from NIST and a constantly changing FDCC baseline have resulted in OTS being unable to fully test and implement all FDCC baseline configurations. However, OTS management also stated that several controls have been implemented to mitigate the potential risk posed by not implementing all FDCC secure configurations.

By not applying the FDCC secure baseline configuration requirements for Windows XP, Treasury information systems are under increased risk of exposure relative to the confidentiality, integrity, and availability of sensitive information and information systems controlled by these operating systems.

We recommend that:

  11. DO, FinCEN, the OIG, and OTS work to implement FDCC secure configuration baselines on all Microsoft Windows XP workstations.

CONCLUSIONS

As part of the FISMA audit of the non-IRS systems at Treasury, we assessed the effectiveness of Treasury’s information security programs and practices and the implementation of the security control catalog contained in NIST SP 800-53. Overall, we determined that an information security program is in place and is generally consistent with FISMA; however, Treasury did not fully comply with the requirements of NIST SP 800-53 as of June 30, 2008. Specifically, we determined from the sample of systems reviewed that 35% of Treasury non-IRS systems did not fully comply with NIST SP 800-53 minimum security control catalog requirements. We are reporting exceptions regarding the extent to which NIST SP 800-53 minimum security control catalogs were documented, implemented, or tested. All of our findings are included in the results section of this report; they warrant management attention and corrective action.

Additionally, we obtained evidence to assess Treasury’s compliance with HSPD-7 paragraphs 1-11 and related OMB guidance.
We determined that Treasury had implemented all provisions of HSPD-7\nparagraphs 1-11 and related OMB guidance, including the development of critical infrastructure plans\nfor identifying, prioritizing, protecting, and planning for contingencies related to the IT-related CI/KR of\nTreasury bureaus and those under the direction and control of the OCIO.\n\n\n\n\n                                                                                                  Page 18\n\x0cMANAGEMENT RESPONSE TO DRAFT REPORT\n\nThe following is the OCIO’s response to the draft FISMA FY 2008 Performance Audit report dated\nSeptember 15, 2008.\n\n\n\n\n                                                                                             Page 19\n\x0cPage 20\n\x0cPage 21\n\x0cPage 22\n\x0cPage 23\n\x0cAPPENDIX I - OIG RESPONSE TO THE FY 2008 OMB FISMA REPORTING\nQUESTIONS\n\nOMB’s FY2008 FISMA Reporting Template for IGs includes the following questions, which are to be\naddressed by the Treasury OIG and TIGTA: [10]\n\n•    Question 1 – FISMA Systems Inventory\n•    Question 2 – Certification and Accreditation, Security Controls Testing, and Contingency Plan\n     Testing\n•    Question 3 – Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System\n     Inventory\n•    Question 4 – Evaluation of Agency POA&M Process\n•    Question 5 – IG Assessment of the Certification and Accreditation Process\n•    Question 6 – IG Assessment of the Privacy Impact Assessment (PIA) Process [11]\n•    Question 7 – IG Assessment of the Agency Privacy Program [12]\n•    Question 8 – Configuration Management\n•    Question 9 – Incident Reporting\n•    Question 10 – Security Awareness Training\n•    Question 11 – Collaborative Web 
Technologies and Peer-to-Peer File Sharing\n•    Question 12 – E-Authentication Risk Assessments\n\nThe responses to OMB’s questions have been divided into the two sections below. The first section,\nentitled “Detailed Description of the Responses to the FY 2008 Reporting Template for IGs,” includes the\nanalysis and conclusions used to complete the reporting template for the non-IRS bureaus of the Treasury.\n\nThe second section contains the FY 2008 Reporting Template for IGs. The Treasury’s responses to the\nFY 2008 FISMA Reporting Instructions for the FISMA and Agency Privacy Management contained in\nOMB Memorandum 08-21 represent the consolidation of the responses for the IRS developed by\nTIGTA and the responses for all 12 non-IRS bureaus developed by KPMG, under contract with the\nTreasury OIG. KPMG does not take responsibility for the evaluation performed by TIGTA over the IRS.\n\nDetailed Description of the Responses to the FY 2008 Reporting Template for IGs [13]\n\n         FISMA System Inventory/Evaluation of Agency Oversight of Contractor Systems and Quality\n         of Agency System Inventory (Questions 1 & 3)\n\n         Treasury implemented the TAF during the FY 2007 FISMA reporting period as the centralized\n         repository for all Treasury systems and FISMA-related artifacts. Since its implementation, TAF\n         has helped improve the quality of the Department’s FISMA system inventory by serving as a\n         centralized repository for common FISMA artifacts across the Department. 
The Treasury OCIO\n         Cyber Security program has issued policy and guidance on TAF usage and provides training for\n         all new users. No discrepancies were identified with respect to the completeness or quality of the\n         FISMA systems inventory.\n\n[10] The Treasury’s IGs include both the Treasury OIG and TIGTA.\n[11] A separate performance audit report on the Treasury’s compliance with Section 522, Division H of the\nConsolidated Appropriations Act, 2005, and the provisions of OMB Memorandum 07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, will be issued.\n[12] A separate performance audit report on the Treasury’s compliance with Section 522, Division H of the\nConsolidated Appropriations Act, 2005, and the provisions of OMB Memorandum 07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, will be issued.\n[13] Individual non-IRS bureaus have been separately notified of the detailed observations identified during fieldwork.\n\n                                                                                                          Page I-1\n\x0cFor the contractor-operated system selected in our representative subset, we noted that\nTreasury had implemented policies and oversight procedures for contractor systems. We noted\nthat contracts contain terms and conditions that stipulate agency and contractor responsibilities\nrelated to FISMA. In addition, Memoranda of Understanding are in place to define the\nresponsibilities of both the agency and the contractor with respect to information system\nsecurity.\n\nCertification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n(Question 2)\n\nTreasury has followed documented policies and procedures for certification and accreditation,\nsecurity controls testing, and contingency plan testing. 
However, one (1) Treasury system\nselected within our representative subset of information systems is operating with an IATO. Per\nNIST SP 800-37, an IATO does not represent a full system accreditation. Lastly, with the\nexception of the systems within that Treasury bureau’s FISMA systems inventory, Treasury has\ntested the security controls and contingency plans for all systems within our representative subset\nof systems during the FY 2008 FISMA reporting period.\n\nEvaluation of Agency POA&M Process (Question 4)\n\nTreasury has implemented policies for the creation and maintenance of POA&Ms and has\nimplemented the TAF system to serve as the centralized, Department-wide system for tracking\nIT security weaknesses. Treasury CIO Memorandum 06-01, Improving the Department’s\nSecurity Plan of Action and Milestone (POA&M) Process, provides guidance for the inclusion of\nIT security weaknesses in POA&Ms and for the prioritization of POA&M weaknesses. The\nTreasury OCIO Cyber Security program also requires bureaus to follow OMB Memorandum 04-25,\nFY 2004 Reporting Instructions for the Federal Information Security Management Act, as\nguidance for properly documenting and reporting POA&M weaknesses.\n\nTreasury is using the TAF system to track all known weaknesses from all sources, including IG\nreports, on a continuous basis. Each weakness has been documented in accordance with OMB\nMemorandum 04-25 and has been prioritized. For weaknesses that were not uploaded into TAF,\nwe noted that a bureau system-level POA&M for each of those weaknesses existed. TAF also\nallows for the continuous updating of bureau-level POA&Ms with newly identified weaknesses and\nthe status of existing weaknesses. 
Individual bureaus are permitted to have internal POA&M\nweakness tracking mechanisms; however, quarterly updates must be made to TAF.\n\nIG Assessment of the Certification and Accreditation (C&A) Process/Implementation of the\nSecurity Control Catalog Contained in NIST SP 800-53 Rev. 2 (Question 5)\n\nRefer to Finding No. 1 in the Results section of this report on page 12.\n\n\nConfiguration Management (Question 8)\n\nRefer to Findings No. 3 and No. 4 in the Results section of this report on page 17.\n\n\n\n                                                                                          Page I-2\n\x0cIncident Reporting (Question 9)\n\nRefer to Finding No. 2 in the Results section of this report on page 15.\n\nSecurity Awareness Training (Question 10)\n\nTreasury has implemented policy in TD P 85-01 that requires each bureau CIO to ensure IT\nsecurity awareness training is provided annually to IT users (i.e., full-time employees,\ncontractors, and any other individuals with system access) in accordance with applicable\nguidance. In addition, new hires and new contractors are required to attend security awareness\ntraining prior to being granted access to information systems. Lastly, all employees and\ncontractors are required to attend security awareness refresher training on an annual basis.\n\nTreasury has improved its security awareness training program since the FY 2007 FISMA\nreporting period. Out of a sample of 360 employees and contractors across the Department, only\nfive (5) did not attend IT security awareness training within the FY 2008 FISMA reporting\nperiod. Of these five (5), two (2) were outside visitors who require periodic network access for\ntraining and meetings. However, the network accounts belonging to these individuals were\ndisabled at the time of fieldwork. 
We noted that these deviations represented only a minimal rate\nof control failure, based on the total sample size of 360 employees and contractors across all 12\nnon-IRS bureaus, and did not represent a control weakness.\n\nCollaborative Web Technologies and Peer-to-Peer File Sharing (Question 11)\n\nTreasury has established a Department-wide policy in TD P 85-01 for the inclusion of\ncollaborative web technologies and peer-to-peer file sharing in IT security awareness training\nprograms. TD P 85-01 requires bureaus to approve all software use and prohibits the use of pirated\nsoftware. TD P 85-01 also references OMB Memorandum M-04-26, Personal Use Policies and “File-Sharing”\nTechnology, for additional guidance pertaining to the use of peer-to-peer technology. In addition, all\nnon-IRS bureaus have incorporated collaborative web technologies and peer-to-peer file sharing\nwithin their IT security awareness training programs.\n\nE-Authentication Risk Assessments (Question 12)\n\nTreasury has established a Department-wide policy in TD P 85-01, which requires bureaus to\nconduct an e-authentication risk analysis in accordance with OMB Memorandum 04-04, E-Authentication\nGuidance for Federal Agencies. Bureaus have validated that an e-authentication risk assessment was\nnot required either by completing a questionnaire to determine the types of information the system is\nprocessing or by identifying the type of transactions the system is processing in the security plan.\nThree (3) of twenty-three (23) systems selected in our representative subset of Treasury information\nsystems required an E-Authentication Risk Assessment. 
Each had an E-Authentication Risk Assessment in accordance with OMB\nMemorandum 04-04.\n\n\n\n\n                                                                                        Page I-3\n\x0cOMB FY 2008 Reporting Template for IGs\n\n                                                                 Question 1: FISMA Systems Inventory\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by Component/Bureau and FIPS 199 system impact level\n(high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of\nan agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore,\nself-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient.\nAgencies and service providers have a shared responsibility for FISMA compliance.\n\n                                  Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n2. 
For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and\npercentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan\ntested in accordance with policy.\n\nColumn key (the table below combines the Question 1 and Question 2 worksheets):\n  Q1a No. / Q1a Rev.   Agency Systems: Number / Number Reviewed\n  Q1b No. / Q1b Rev.   Contractor Systems: Number / Number Reviewed\n  Q1c Tot. / Q1c Rev.  Total Number of Systems (Agency and Contractor systems): Total Number / Total Number Reviewed\n  Q2a No. / Q2a %      Number of systems certified and accredited: Total Number / Percent of Total\n  Q2b No. / Q2b %      Number of systems for which security controls have been tested and reviewed in the past year: Total Number / Percent of Total\n  Q2c No. / Q2c %      Number of systems for which contingency plans have been tested in accordance with policy: Total Number / Percent of Total\n\nBureau Name    Impact Level       Q1a No.  Q1a Rev.   Q1b No.  Q1b Rev.  Q1c Tot.  Q1c Rev.   Q2a No.     Q2a %   Q2b No.     Q2b %   Q2c No.     Q2c %\nBEP            High                     2         0         0         0         2         0         0         0         0         0         0         0\n               Moderate                39         3         2         0        41         3         3      100%         3      100%         3      100%\n               Low                      9         1         0         0         9         1         1      100%         1      100%         1      100%\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               50         4         2         0        52         4         4      100%         4      100%         4      100%\nBPD            High                     2         0         0         0         2         0         0         0         0         0         0         0\n               Moderate                12         2         0         0        12         2         2      100%         2      100%         2      100%\n               Low                      6         1         0         0         6         1         1      100%         1      100%         1      100%\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               20         3         0         0        20         3         3      100%         3      100%         3      100%\nCDFI           High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                 2         0         0         0         2         0         0         0         0         0         0         0\n               Low                      1         0         0         0         1         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total                3         0         0         0         3         0         0         0         0         0         0         0\nDO             High                    11         1         3         1        14         2         2      100%         2      100%         2      100%\n               Moderate                22         2         6         1        28         3         3      100%         3      100%         3      100%\n               Low                     13         3         2         0        15         3         3      100%         3      100%         3      100%\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               46         6        11         2        57         8         8      100%         8      100%         8      100%\nFinCEN         High                     5         0         0         0         5         0         0         0         0         0         0         0\n               Moderate                 2         0         0         0         2         0         0         0         0         0         0         0\n               Low                      1         0         0         0         1         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total                8         0         0         0         8         0         0         0         0         0         0         0\nFMS            High                     8         0         3         0        11         0         0         0         0         0         0         0\n               Moderate                32         3         2         0        34         3         3      100%         3      100%         3      100%\n               Low                      9         1         0         0         9         1         1      100%         1      100%         1      100%\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               49         4         5         0        54         4         4      100%         4      100%         4      100%\nIRS            High                     4         0         0         0         4         0         0         0         0         0         0         0\n               Moderate               184        14         6         1       190        15        15      100%        15      100%        15      100%\n               Low                     53         7         0         0        53         7         7      100%         7      100%         7      100%\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total              241        21         6         1       247        22        22      100%        22      100%        22      100%\nMint           High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                15         0         1         0        16         0         0         0         0         0         0         0\n               Low                      3         0         0         0         3         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               18         0         1         0        19         0         0         0         0         0         0         0\nOCC            High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                15         0         0         0        15         0         0         0         0         0         0         0\n               Low                      1         0         0         0         1         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               16         0         0         0        16         0         0         0         0         0         0         0\nOIG            High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                 1         0         0         0         1         0         0         0         0         0         0         0\n               Low                      0         0         0         0         0         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total                1         0         0         0         1         0         0         0         0         0         0         0\nOTS            High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                 8    1 [14]         0         0         8         1         0        0%         0        0%         0        0%\n               Low                      0         0         0         0         0         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total                8         1         0         0         8         1         0        0%         0        0%         0        0%\nTIGTA          High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                 2         0         0         0         2         0         0         0         0         0         0         0\n               Low                      0         0         0         0         0         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total                2         0         0         0         2         0         0         0         0         0         0         0\nTTB            High                     0         0         0         0         0         0         0         0         0         0         0         0\n               Moderate                17         3         0         0        17         3         3      100%         3      100%         3      100%\n               Low                      1         0         0         0         1         0         0         0         0         0         0         0\n               Not Categorized          0         0         0         0         0         0         0         0         0         0         0         0\n               Sub-total               18         3         0         0        18         3         3      100%         3      100%         3      100%\nAgency Totals  High                    32         1         6         1        38         2         2                   2                   2\n               Moderate               351        28        17         2       368        30        29                  29                  29\n               Low                     97        13         2         0        99        13        13                  13                  13\n               Not Categorized          0         0         0         0         0         0         0                   0                   0\n               Total                  480        42        25         3       505        45        44                  44                  44\n\n[14] One OTS system selected in our representative subset of Treasury information systems was identified as operating with an IATO.\n\n                                                                                                                                                              Page I-12\n\x0c            Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\n\n3.a.   
The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
Response: Almost Always- for example, approximately 96-100% of the time

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Response Categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
Response: The inventory is approximately 96-100% complete

Response Categories:
 - The inventory is approximately 0-50% complete
 - The inventory is approximately 51-70% complete
 - The inventory is approximately 71-80% complete
 - The inventory is approximately 81-95% complete
 - The inventory is approximately 96-100% complete

3.c. The IG generally agrees with the Chief Information Officer (CIO) on the number of agency-owned systems. Yes or No.
Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.
Response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.
Response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

Component/Bureau    System Name    Exhibit 53 Unique Project Identifier (UPI)    Agency or Contractor system?
N/A                 N/A            N/A                                           N/A

Number of known systems missing from inventory: 0
Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
Response: Almost Always- for example, approximately 96-100% of the time

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
Response: Almost Always- for example, approximately 96-100% of the time

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
Response: Almost Always- for example, approximately 96-100% of the time

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
Response: Almost Always- for example, approximately 96-100% of the time

4.e. IG findings are incorporated into the POA&M process.
Response: Mostly- for example, approximately 81-95% of the time

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
Response: Almost Always- for example, approximately 96-100% of the time

POA&M process comments:
Treasury OIG Comment: Overall, our audit of the non-IRS bureaus of the Treasury displayed a consistent approach to the development, implementation, and management of a Treasury-wide POA&M process. The Treasury has developed policy and guidance and implemented a POA&M process that is followed by each Treasury bureau. In addition, the Treasury OCIO has implemented TAF to serve as a Treasury-wide system of record for all FISMA-related artifacts, including IT security weaknesses. In instances where detailed IT security weaknesses and corrective actions were not incorporated into TAF, we noted that bureaus maintained system-level POA&Ms to track the status of security weaknesses and related corrective action.

TIGTA Comment: The IRS has an agency-wide process for managing POA&Ms, which generally includes incorporating findings from our audit reports. However, TIGTA findings reported in 2008 were not included in the IRS POA&M process as they had been in prior years.

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy,
guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:
Response: Satisfactory

Response Categories:
 - Excellent
 - Good
 - Satisfactory
 - Poor
 - Failing

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
 [X] Security plan
 [X] System impact level
 [X] System test and evaluation
 [X] Security control testing
 [X] Incident handling
 [X] Security awareness training
 [X] Configurations/patching
 [ ] Other:

C&A process comments:
Treasury OIG Comment: The assessment of the quality of the certification and accreditation process involved the inspection of the documentation used to certify and accredit a representative subset of 23 major application, minor application, and general support systems across six (6) of the 12 non-IRS Treasury bureaus. Test work involved an inspection of system security plans, NIST FIPS 199 system impact level documentation, security test and evaluation reports, continuous monitoring documentation, incident handling documentation, security awareness documentation, and configuration management documentation. Test work identified inconsistencies in the processes used to design, implement, and/or test the NIST SP 800-53 minimum security control baseline at three (3) bureaus. Specifically, seven (7) of the 23 systems selected across two (2) bureaus in the representative statistical sample of Treasury systems did not have all of the minimum baseline security controls tested and evaluated prior to the decision to issue an authorization to operate. In addition, the specific NIST SP 800-53 minimum baseline controls required by NIST FIPS 200 were not documented within the system security plans of these systems. Lastly, one (1) system within our representative subset has yet to have the NIST SP 800-53 minimum security control baseline fully implemented. This system is currently operating with an IATO.

Treasury OIG Comment: In the FY 2007 FISMA reporting period, it was identified that several elements required by NIST SP 800-34 were missing from a CDFI Fund contingency plan. As of the close of the FY 2008 FISMA reporting period, these elements were still missing.

TIGTA Comment: The IRS has made significant progress in its certification and accreditation process. We evaluated the quality of the certification and accreditation process for all 11 of the systems in our sample of 22 that were certified and accredited in 2008. We determined that all 11 systems were properly certified and accredited in accordance with NIST guidelines.

For the remaining systems in our sample, we reviewed the adequacy of annual testing of security controls. The IRS made significant progress this year in this area. An appropriate subset of management, operational, and technical controls was selected, documented, and approved for each of the 11 systems we reviewed. However, the testing of operational and technical controls needs improvement to meet NIST and IRS guidelines. Thirty-seven percent of the operational controls were not adequately tested, and 67% of the technical controls were not adequately tested.

We also examined Information Technology Contingency Plan testing for all 22 systems in our sample, which has improved in the past year. This year the IRS implemented a revised testing program and improved its testing guidance. Adequate tabletop testing was performed for all systems, and functional testing was performed for 10 systems in our sample that required this testing. However, improvements are needed to ensure that functional testing meets Department of the Treasury and IRS guidelines.

Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D Question #5 (SAOP reporting template), including adherence to existing policy, guidance, and standards.
Response: Satisfactory

Response Categories:
 - Excellent
 - Good
 - Satisfactory
 - Poor
 - Failing

Comments:
Treasury OIG Comment: The Senior Agency Official for Privacy (SAOP) and the Treasury Office of Privacy and Treasury Records have issued Treasury Directive (TD) 25-07 Privacy Impact Assessment (PIA) on August 6, 2008 and drafted TD P 25-07 Privacy Impact Assessment Manual. This directive and related procedures manual are being followed by all bureaus for the performance of a PIA. However, these documents were in draft during the FY 2008 FISMA reporting period. Non-IRS Treasury bureaus have been using the draft directive and related procedures manual to perform PIAs.
We noted that all systems within the representative subset of 23 non-IRS Treasury systems had a PIA performed that met the guidance outlined in this draft directive and procedures manual.[15]

TIGTA Comment: During the past year, the IRS has continued to take steps to better protect the privacy of taxpayers. We determined that a PIA was prepared according to IRS guidelines for each of the 22 systems in our representative sample.

15  A separate performance audit report on the Treasury's compliance with Section 522, Division H of the Consolidated Appropriations Act, 2005, and the provisions of OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, will be issued.

7. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
Response: Poor

Response Categories:
 - Excellent
 - Good
 - Satisfactory
 - Poor
 - Failing

Comments:
Treasury OIG Comment: The purpose of OMB Memorandum 07-16 is to instruct agencies to develop breach notification policies based on the guidance contained within the memorandum no later than September 19, 2007. The SAOP and the Treasury Office of Privacy and Treasury Records have developed TD 25-08 Personally Identifiable Information (PII) Protection, Breach Response, and Notification. While this TD was still under review by the SAOP at the conclusion of fieldwork, the policies outlined within were being followed by each of the 12 non-IRS bureaus.

TIGTA Comment: The IRS has also taken steps to implement OMB Memorandum 07-16 requirements for safeguarding against and responding to the breach of PII. The IRS has developed plans to respond to PII breaches and to reduce the use of Social Security Numbers. In 2008, the IRS also conducted a program to refresh employee awareness of existing policies and procedures about encrypting, safeguarding, and protecting sensitive information.

Question 8: Configuration Management

8.a. Is there an agency-wide security configuration policy? Yes or No.
Response: Yes

Comments:
Treasury OIG Comment: Treasury OCIO TCIO Memorandum 07-01 Security Configuration and Vulnerability Management Policy, which became effective on April 1, 2007, requires all Treasury bureaus to develop and/or implement configuration baselines that are compliant with NIST SP 800-70 on all operating systems and platforms. In addition, the Treasury OCIO released TCIO Memorandum 07-04 Implementation of Common Security Configuration for IT Systems Using Windows XP or Vista on April 17, 2007, which requires all Bureaus to implement common security configurations for Windows XP and Vista systems (i.e., FDCC) no later than February 1, 2008.

8.b.
Approximate the extent to which applicable systems implement common security configurations, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov.
Response: Frequently- for example, approximately 71-80% of the time

Response categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

8.c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

 c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.
 Response: Yes

 c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.
 Response: Yes

 c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.
 Response: No

Comments:
Treasury OIG Comment: Question 8.b – From our representative statistical sample of 23 non-IRS information systems, we determined that one (1) system at each of two (2) bureaus was not using NIST SP 800-70 common security configuration baselines during the FY 2008 FISMA reporting period. As a result, we determined that NIST SP 800-70 common security configurations are applied to 94% of the systems within our representative subset of non-IRS systems. When combined with the total percentage of instances of the Microsoft Windows XP operating systems running the FDCC secure baseline configurations, with deviations, the total percentage of implementation of NIST SP 800-70 common security configurations becomes 83%.

Treasury OIG Comment: Question 8.c.2 – Our response is based on the review of a selection of contracts at BEP, BPD, DO, and FMS.

Treasury OIG Comment: Question 8.c.3 – As noted in 8.a. above, Treasury required the adoption of FDCC standard configurations. To date, four (4) bureaus have not implemented the FDCC secure baseline configuration across all workstations. In total, we determined that non-IRS Treasury is approximately 82% complete in implementing FDCC secure configuration baselines on all instances of the Microsoft Windows XP platform.

TIGTA Comment: Question 8.b – The IRS provided test results that demonstrated an overall rate of 71% to 80% for implementing security configurations. In general, we agreed with the IRS' compliance assessment, with one exception. The IRS used external scanning software to assess compliance for one of its most heavily used database products instead of using a scanner that can authenticate to the database and assess internal database configurations.

TIGTA Comment: Question 8.c.3 – The IRS has adopted the FDCC standard configurations in its workstation security policies and compliance assessment tools. It has documented 11 deviations from the FDCC and the business reasons why the settings cannot be implemented, which have been reported along with other noncompliant settings to the Department of the Treasury. The IRS continues to test FDCC standard configurations and therefore has only partially implemented the FDCC. The IRS is currently testing settings to determine whether they can be implemented; it has confirmed compliance with 89 FDCC settings in its test environment. However, the IRS has not yet validated that these settings are implemented on IRS workstations. The IRS compliance assessment tool, recently configured to assess compliance with some FDCC settings, is in the initial stages of assessing IRS workstations.

Question 9: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
Response: No

9.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No.
Response: No

9.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
Response: Yes

Comments:
Treasury OIG Comment: The Treasury OCIO Cyber Security program and the TCSIRC have developed policies, guidance, and procedures for reporting computer security incidents internally, as well as for reporting computer security incidents to the US-CERT and to law enforcement. However, nine (9) out of 38 computer security incidents sampled (or 24%) from the total population of US-CERT Category 1 through Category 4 computer security incidents across the 12 non-IRS bureaus (147) in the FY 2008 FISMA reporting period were incorrectly categorized. In addition, three (3) category 1 computer security incidents out of 38 computer security incidents sampled (or 8%) from the total population of US-CERT Category 1 through Category 4 computer security incidents across the 12 non-IRS bureaus (147) in the FY 2008 FISMA reporting period were not reported based on the timeframes established by the US-CERT and Treasury OCIO policy.

TIGTA Comment for IRS: IRS reports directly to the TCSIRC, not US-CERT.

Question 10: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?
Response: Almost Always- or approximately 96-100% of employees

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.
Response: Yes

Question 12: E-Authentication Risk Assessments

12.a.
Has the agency identified all e-authentication applications and validated that the applications have operationally achieved the required assurance level in accordance with the NIST Special Publication 800-63, "Electronic Authentication Guidelines"? Yes or No.
Response: No

12.b. If the response is "No", then please identify the systems in which the agency has not implemented the e-authentication guidance and indicate if the agency has a planned date of remediation.
Response: While the Treasury OIG answered "Yes" to this question for the representative subset of Treasury systems selected at the non-IRS bureaus, TIGTA reported that for IRS three of the five e-authentication applications were not validated to determine whether the applications operationally achieved the required assurance level. The IRS plans to revise its process for validating e-authentication assurance levels during the FY 2009 FISMA reporting period.

APPENDIX II – APPROACH TO THE SELECTION OF THE SUBSET OF SYSTEMS

KPMG's approach for the selection of a representative subset of Treasury systems was based on applying an attribute random sampling formula per GAO/President's Council on Integrity and Efficiency Financial Audit Manual guidance for tests of controls. A standard sample size of 45 items is generally recommended for tests of controls based on a 90% confidence level and a 10% precision level or error rate that the results will not be representative of the population.
This confidence level is generally appropriate for tests of controls because the auditor obtains additional satisfaction regarding controls through other tests such as substantive tests, inquiry, observation, and walkthroughs.[16]

The following table shows the approach taken for sampling 45 Treasury systems, including a breakout between Treasury IRS[17] and non-IRS systems, per OIG scope requirements:

    Component   Time period                 Low Risk (90% confidence level and 10% precision)
    IRS         As of June 10               20
                From June 10 to June 30      2
    Non-IRS     As of June 10               21
                From June 10 to June 30      2
    Total                                   45

A sample of 41 systems was initially selected using the June 10, 2008 universe and four (4) systems were selected from the June 30, 2008 universe. The allocation of selections in the sample was proportional to the number of systems in the population; therefore, out of the sample of 45, 22 selected were IRS systems and 23 were Non-IRS systems. The first sample of 41 systems included 20 systems of the IRS sub-population and 21 for the Non-IRS population. The final four (4) samples contained two (2) selections for each group.

[16] GAO/President's Council on Integrity and Efficiency Financial Audit Manual, Section 450 – Sampling Control Tests, July 2001.
[17] Test work over Treasury IRS systems was performed by TIGTA, not by KPMG.


APPENDIX III - ACRONYM LISTING

    Acronym   Definition
    ACIOCS    Associate Chief Information Officer for Cyber Security
    BEP       Bureau of Engraving and Printing
    BPD       Bureau of the Public Debt
    C&A       Certification and Accreditation
    CDFI      Community Development Financial Institution
    CI/KR     Critical Infrastructure/Key Resources
    CIO       Chief Information Officer
    CIP       Critical Infrastructure Protection
    CSIRC     Computer Security Incident Response Capability
    CSS       Cyber Security Sub-Council
    DO        Departmental Offices
    FDCC      Federal Desktop Core Configuration
    FinCEN    Financial Crimes Enforcement Network
    FIPS      Federal Information Processing Standards
    FISMA     Federal Information Security Management Act
    FMS       Financial Management Service
    FY        Fiscal Year
    GAGAS     Generally Accepted Government Auditing Standards
    GAO       Government Accountability Office
    HSPD      Homeland Security Presidential Directive
    IATO      Interim Authority to Operate
    IG        Inspector General
    IRS       Internal Revenue Service
    IT        Information Technology
    Mint      United States Mint
    NIST      National Institute of Standards and Technology
    OCC       Office of the Comptroller of Currency
    OCIO      Office of the Chief Information Officer
    OMB       Office of Management and Budget
    OIG       Office of the Inspector General
    OTS       Office of Thrift Supervision
    PIA       Privacy Impact Assessment
    PII       Personally Identifiable Information
    POA&M     Plan of Action and Milestones
    Rev       Revision
    SAOP      Senior Agency Official for Privacy
    SP        Special Publication
    TAF       Trusted Agent FISMA
    TCIO      Treasury Chief Information Officer
    TCSIRC    Treasury Computer Security Incident Response Capability
    TD        Treasury Directive
    TD P      Treasury Directive Publication
    TIGTA     Treasury Inspector General for Tax Administration
    TTB       Alcohol and Tobacco Tax and Trade Bureau
    US-CERT   United States Computer Emergency Readiness Team


ATTACHMENT 2

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2008, September 10, 2008


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 10, 2008

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE TREASURY INSPECTOR GENERAL

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2008 (Audit #200820024)

We are pleased to submit the Treasury Inspector General for Tax Administration's Federal Information Security Management Act (FISMA)[1] report for Fiscal Year 2008. The FISMA requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices and compliance with FISMA requirements. As such, this report presents the results of our independent evaluation of the Internal Revenue Service's (IRS) information technology security program.

We based our evaluation on the Office of Management and Budget (OMB) FISMA reporting guidelines for 2008 and the answers to the questionnaire published with the OMB guidelines (see Attachment I). During the 2008 evaluation period,[2] we also conducted nine audits to evaluate the adequacy of information security in the IRS (see Attachment II). We considered the results of those audits when making our assessment. Major contributors to this report are listed in Attachment III.

To complete our review, we evaluated a representative sample of 22 IRS information systems to assess the quality of the certification and accreditation process. For these systems, we also assessed the annual testing of controls for continuous monitoring, testing of Information Technology Contingency Plans, and quality of the Plan of Action and Milestones process. We conducted separate tests to evaluate processes for inventory accuracy, configuration management, incident reporting, awareness training, and information privacy.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The FISMA evaluation period for the Department of the Treasury is July 1, 2007, through June 30, 2008. Hereafter, all references to 2008 refer to the FISMA evaluation period.

Overall, the IRS has made steady progress in complying with FISMA requirements since enactment of the FISMA in 2002, and it continues to place a high priority on efforts to improve its security program. We observed significant improvements in the areas of security that we had identified as needing improvement in our 2007 FISMA evaluation.[3] In addition, during 2008, the IRS Modernization and Information Technology Services organization Cybersecurity office took steps to achieve efficiencies in the certification and accreditation process. It realigned its general support system structure by functional rather than physical boundaries, which reduced the number of general support systems and improved mapping to applications. It also streamlined the certification and accreditation process for low-impact systems to reduce costs and improve scheduling capabilities. During 2008, the IRS certified and accredited the last of its systems that had not previously been assessed through a National Institute of Standards and Technology (NIST)[4]-compliant certification and accreditation process.
The IRS also continued to work closely in seeking guidance and concurrence on FISMA issues with the Treasury Inspector General for Tax Administration and the Department of the Treasury Chief Information Officer to improve compliance with the NIST and FISMA requirements.

Our evaluation of the IRS' 2008 performance against specific OMB security measures and our audit work performed during 2008 show that while the IRS improved its certification and accreditation process, more needs to be done to adequately secure its systems and data. The most significant area of concern is implementation of configuration management standards.

Attachment I provides our responses to the OMB FISMA questions for the Inspector General. We are confident that the IRS systems inventory is substantially complete, the Plan of Action and Milestones process is adequate to ensure the remediation of security weaknesses, and policies and procedures are followed for reporting computer security incidents. Provided in this document are security performance improvements as well as areas that require additional attention.

Certification and Accreditation Process

The IRS has made significant progress in its certification and accreditation process. Therefore, this year we evaluate this process as good. However, the IRS needs to continue to improve the process to ensure that the level of annual security controls and contingency plan testing is sufficient.

The OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years or when major system changes occur. The NIST provides guidelines for conducting the certifications and accreditations. In our 2007 FISMA evaluation, we reported that the IRS had implemented a satisfactory certification and accreditation process. This year the IRS completed this implementation, and it has now subjected all systems to the process. We evaluated the quality of the certification and accreditation process for all 11 of the systems in our sample of 22 that were certified and accredited in 2008. We determined that all 11 systems were properly certified and accredited in accordance with NIST guidelines.

For the remaining systems in our sample, we reviewed the adequacy of annual testing of security controls for continuous monitoring. The IRS made significant progress this year in this area. An appropriate subset of management, operational, and technical controls was selected, documented, and approved for each of the 11 systems we reviewed. However, the testing of operational and technical controls needs improvement and does not meet NIST and IRS guidelines. Overall, 28 percent of the controls were not sufficiently tested for the 11 systems from our sample. Thirty-seven percent of the operational controls were not adequately tested, and 67 percent of the technical controls were not adequately tested. These tests were limited to examining certification and accreditation documentation without securing evidence from the system. As a result, some tests were insufficient to identify controls that might not be operating as intended to protect the systems and data.

[3] Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2007 (Reference Number 2007-20-186, dated September 4, 2007).
[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements for providing adequate information security for all Federal Government agency operations and assets.

We also examined the IRS' testing of Information Technology Contingency Plans, which has improved in the past year. This year, the IRS implemented a revised testing program and improved its testing guidance. Our review of the 22 systems in our sample determined that adequate tabletop[5] testing was performed for all systems. In addition, the IRS performed functional testing for the 10 systems in our sample for which this testing was required. However, improvements are needed to ensure that testing meets Department of the Treasury and IRS guidelines:

    •   Supporting documentation for 4 of the 10 functional tests did not adequately support testing results for verifying readability of backup tapes retrieved during the tests.
    •   The IRS has not developed criteria to assess the timeliness of retrieving backup tapes from offsite locations. In addition, the IRS did not compute the time for retrieving backup tapes in any of the 10 functional tests.
    •   The IRS performed only a limited test of timeliness for offsite retrieval of backup tapes, including those from offsite vendors, during other than normal working hours. The IRS conducted this test for only one system and did not document the results. IRS management informed us that this was a cost-based decision due to the limited funding for these tests.
    •   Testing plans and results did not include a description of the sampling methodology used for retrieving and validating the readability of backup files. IRS procedures recommend that a sample of files, rather than the entire population, be selected for testing and that the sample be selected at random.

Plan of Action and Milestones Process

The IRS has an agency-wide process for managing Plans of Action and Milestones, which generally includes incorporating findings from our audit reports. However, our findings reported in 2008 were not included in the IRS Plan of Action and Milestones process as they had been in prior years. Based on our discussions with IRS management, we determined that responsibilities for this part of the Plan of Action and Milestones process were inadequately transferred between employees.

Privacy Requirements

During the past year, the IRS has continued to take steps to better protect the privacy of taxpayers. We determined that a Privacy Impact Assessment[6] was prepared according to IRS guidelines for each of the 22 systems in our representative sample. The IRS has also taken steps to implement OMB requirements for safeguarding against and responding to the breach of personally identifiable information (PII). The IRS has developed plans to respond to PII breaches and to reduce the use of Social Security Numbers. In 2008, the IRS also conducted a program to refresh employee awareness of existing policies and procedures about encrypting, safeguarding, and protecting sensitive information. As a result, we are evaluating the IRS' progress in implementing OMB requirements for safeguarding against and responding to breaches of PII as good.

However, we continue to have concerns about the IRS' overall ability to adequately protect PII. In particular, weaknesses in access controls, audit trails, and system configuration settings directly affect the IRS' ability to protect PII. In 2008, our audits continued to identify weaknesses in the IRS' ability to adequately secure its systems and protect PII. Attachment II presents a list of these reports.

[5] Participants in tabletop exercises walk through the contingency plan procedures to ensure that the documentation reflects the ability to adequately perform the tasks outlined without any recovery operations actually occurring.
[6] This is an analysis of how personal information is collected, stored, shared, and managed in a Federal Government system.

Security Configurations

The OMB requires agencies to have configuration guides in place to ensure consistent implementation of software across the agency. The IRS has an agency-wide security configuration policy but needs to do more to ensure that information systems apply common security configurations established by the NIST.

The IRS provided test results that demonstrated an overall rate of 71 percent to 80 percent for implementing security configurations. In general, we agreed with the IRS' compliance assessment, with one exception. The IRS used external scanning software to assess compliance for one of its most heavily used database products instead of using a scanner that can authenticate to the database and assess internal database configurations.

During our evaluation, we also identified software used by the IRS for which compliance with NIST or IRS standard configurations was not reported. The software includes firewalls, systems management computers, web servers, handheld device servers, and mainframes. The software should be included in the IRS' 2009 FISMA assessment.

In this year's assessment, the OMB also requires an evaluation of agency progress in implementing the Federal Desktop Core Configuration (FDCC) standard configurations. We are currently conducting an audit in this area and will further evaluate the IRS' progress in implementing these configurations. Our evaluation below is based on the IRS' progress as of June 30, 2008.

The IRS has adopted the FDCC standard configurations in its workstation security policies and compliance assessment tools. It has documented 11 deviations from the FDCC and the business reasons why the settings cannot be implemented, which have been reported along with other noncompliant settings to the Department of the Treasury. The IRS continues to test FDCC standard configurations and therefore has only partially implemented the FDCC. Based on guidance from the OMB that partial implementation is acceptable, and because the IRS followed the Department of the Treasury process for reporting deviations, we determined that the agency has adopted and implemented FDCC standard configurations and has documented deviations. The IRS has also included new Federal Acquisition Regulation[7] language in three contracts that we were able to review and has issued guidance on this requirement.

[7] 48 C.F.R. ch. 1 (2006).

However, we were unable to confirm that the IRS has implemented FDCC standard configurations on all Windows workstations. The OMB permits implementation to include those settings for which deviations have been documented. The IRS is currently testing settings to determine whether they can be implemented; it has confirmed compliance with 89 FDCC settings in its test environment. However, the IRS has not yet validated that these settings are implemented on IRS workstations. The IRS compliance assessment tool, recently configured to assess compliance with some FDCC settings, is in the initial stages of assessing IRS workstations. Therefore, we cannot validate that FDCC settings are implemented on all IRS workstations.

Electronic Authentication Risk Assessments

Last year, we reported that the IRS completed electronic authentication (e-authentication) risk assessments for its systems. While our review this year continued to find that e-authentication risk assessments are completed, we do not have confidence that applications have operationally achieved the required assurance level in accordance with NIST Electronic Authentication Guidelines (Special Publication 800-63).

We agree with the IRS' inventory of e-authentication applications and did not identify any additional applications that should be included. However, the IRS has not consistently validated the operation of e-authentication controls. The OMB requires Federal Government agencies to conduct a final validation confirming that systems achieve the required e-authentication assurance level. This validation should be performed as part of required security procedures, such as certification and accreditation or annual testing. We determined that three of the five e-authentication applications did not include e-authentication validation tests during certification and accreditation. The IRS has acknowledged the need to improve its e-authentication process and plans to revise its process for validating e-authentication assurance levels during the 2009 FISMA reporting period.

Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Attachment I

Details of the Treasury Inspector General for Tax Administration Federal Information Security Management Act Analysis


Attachment II

Treasury Inspector General for Tax Administration Information Technology Security Reports Issued During the 2008 Evaluation Period

1. Effectiveness of Access Controls Over System Administrator User Accounts Can Be Improved (Reference Number 2007-20-161, dated September 19, 2007).
2. Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).
3. Internal Revenue Service Databases Continue to Be Susceptible to Penetration Attacks (Reference Number 2008-20-029, dated December 14, 2007).
4. Improvements Are Needed to the Information Security Program Governance Process (Reference Number 2008-20-076, dated March 11, 2008).
5. Actions Are Needed to Improve the Effectiveness of the Physical Security Program (Reference Number 2008-20-077, dated March 13, 2008).
6. Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information (Reference Number 2008-20-071, dated March 26, 2008).
7. Private Collection Agencies Adequately Protected Taxpayer Data (Reference Number 2008-20-078, dated March 26, 2008).
8. Control Weaknesses at Internal Revenue Service Internet Connections Increase Security Risks (Reference Number 2008-20-143, dated July 17, 2008).
9. Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network (Reference Number 2008-20-159, dated August 26, 2008).


Attachment III

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michael Howard, Audit Manager
Alan Beber, Senior Auditor
Richard Borst, Senior Auditor
Charles Ekunwe, Senior Auditor
Myron Gulley, Senior Auditor
Jody Kitazono, Senior Auditor
Thomas Nacinovich, Senior Auditor
Midori Ohno, Senior Auditor
Joan Raniolo, Senior Auditor
Jefferson Lee, Program Analyst